CAA error when issuing a certificate

My domain is: r-ricci.it

I ran this command:

uacme --hook /usr/share/uacme/uacme.sh --force --type=EC issue snac.r-ricci.it

It produced this output:

uacme: failed to finalize order at https://acme-v02.api.letsencrypt.org/acme/finalize/2745389911/442025748431
uacme: the server reported the following error:
{
    "type": "urn:ietf:params:acme:error:caa",
    "detail": "Error finalizing order :: rechecking caa: During secondary validation: While processing CAA for snac.r-ricci.it: CAA record for r-ricci.it prevents issuance",
    "status": 403
}

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site: no

The version of my client is: uacme v1.7.6

CAA records:

$ delv r-ricci.it CAA
; fully validated
r-ricci.it.             3600    IN      CAA     128 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/2745389911;validationmethods=http-01"
r-ricci.it.             3600    IN      CAA     128 issuewild ";"
r-ricci.it.             3600    IN      RRSIG   CAA 13 2 3600 20251106000000 20251016000000 47676 r-ricci.it. Lp2J0H8u6rqLceXcKkdNXAUb4vTS7170XXjTYiB7+DdetCIarWSp6+j5 FATAYSAQLVUW2mUgtpZkMZJoJUFwOw==

From looking at the RFC example and other sites using it, you may need a space between ; and the start of the next parameter.

1 Like

The "secondary" validation failure means the primary Let's Encrypt center saw a good CAA but one or more of the secondary centers around the world did not.

Do you know why your DNS servers would respond differently depending on where in the world the DNS query comes from? Such as distributed DNS with some kind of sync problem?

I don't see any problem with some common tools we use. Does this problem repeat or was it just a one-time thing?

3 Likes

According to section 4.2, zero or more whitespace characters are allowed (*WSP), and the Let's Encrypt server actually trims the white space.

1 Like
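Added example (not from this thread, uacme, or Let's Encrypt): a small Python model of how a CA evaluates the records above, following the RFC 8659 issue/issuewild grammar (whitespace permitted around `;` and `=`, critical flag, walking up from the FQDN to the closest name with CAA) and the RFC 8657 accounturi/validationmethods parameters. The record values are copied from the delv output in the thread; the function names, the set of "understood" tags, and the alternative account URI used in the usage block are assumptions of this example.

```python
"""Toy CAA evaluator for RFC 8659 (CAA) + RFC 8657 (ACME CAA parameters).
Added example, not uacme or Let's Encrypt code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# RFC 8659 section 4.2 label/tag grammar: alphanumerics with internal hyphens.
_LABEL = r"[A-Za-z0-9](?:-*[A-Za-z0-9])*"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
_TAG_RE = re.compile(rf"^{_LABEL}$")
UNDERSTOOD_TAGS = {"issue", "issuewild", "iodef"}  # assumption: what our toy CA implements


@dataclass
class CAARecord:
    flags: int  # bit 7 (value 128) is the issuer-critical flag
    tag: str
    value: str


@dataclass
class IssueValue:
    issuer: str  # "" (a value of ";") means "no CA may issue"
    params: dict[str, str] = field(default_factory=dict)


def parse_issue_value(text: str) -> IssueValue:
    """Parse an issue/issuewild value. *WSP is allowed around ';' and '=',
    so "letsencrypt.org; accounturi=..." equals "letsencrypt.org;accounturi=..."."""
    head, sep, rest = text.partition(";")
    issuer = head.strip().lower()
    if issuer and not _DOMAIN_RE.match(issuer):
        raise ValueError(f"bad issuer-domain-name: {head!r}")
    params: dict[str, str] = {}
    if sep:
        chunks = rest.split(";")
        for i, chunk in enumerate(chunks):
            chunk = chunk.strip()
            if not chunk:
                if i == len(chunks) - 1:  # a lone ';' or trailing ';' is fine
                    continue
                raise ValueError(f"empty parameter in {text!r}")
            tag, eq, value = chunk.partition("=")
            tag, value = tag.strip().lower(), value.strip()
            if not eq or not _TAG_RE.match(tag):
                raise ValueError(f"bad parameter: {chunk!r}")
            params[tag] = value
    return IssueValue(issuer, params)


def relevant_caa(rrsets: dict[str, list[CAARecord]], name: str) -> tuple[str, list[CAARecord]]:
    """RFC 8659 section 3: use the CAA RRset of the FQDN, else of its closest ancestor."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if rrsets.get(owner):
            return owner, rrsets[owner]
    return "", []


def caa_permits(rrsets, name, ca, *, account_uri=None, method=None, wildcard=False):
    """Return (allowed, reason) for CA `ca` issuing for `name`."""
    owner, records = relevant_caa(rrsets, name)
    if not records:
        return True, "no CAA records in the tree; issuance is unrestricted"
    # An unrecognised property with the critical bit set forbids issuance outright.
    for r in records:
        if r.flags & 128 and r.tag.lower() not in UNDERSTOOD_TAGS:
            return False, f"critical unknown property {r.tag!r} at {owner}"
    tag = "issuewild" if wildcard else "issue"
    props = [r for r in records if r.tag.lower() == tag]
    if wildcard and not props:  # no issuewild present: issue governs wildcards too
        tag = "issue"
        props = [r for r in records if r.tag.lower() == tag]
    if not props:
        return True, f"no {tag} property at {owner}; issuance is unrestricted"
    for r in props:
        try:
            iv = parse_issue_value(r.value)
        except ValueError:
            continue  # a malformed property cannot authorise anyone
        if iv.issuer != ca.lower():
            continue
        # RFC 8657 parameters: each one present must match the request.
        want_acct = iv.params.get("accounturi")
        if want_acct is not None and want_acct != account_uri:
            continue
        methods = iv.params.get("validationmethods")
        if methods is not None and method not in {m.strip() for m in methods.split(",")}:
            continue
        return True, f"{tag} record at {owner} authorises {ca}"
    return False, f"CAA record for {owner} prevents issuance"


# Constructed from the delv output in the thread (RRSIG omitted).
ACCOUNT_URI = "https://acme-v02.api.letsencrypt.org/acme/acct/2745389911"
RRSETS = {
    "r-ricci.it": [
        CAARecord(128, "issue", f"letsencrypt.org;accounturi={ACCOUNT_URI};validationmethods=http-01"),
        CAARecord(128, "issuewild", ";"),
    ],
}

if __name__ == "__main__":
    name, ca = "snac.r-ricci.it", "letsencrypt.org"
    print(caa_permits(RRSETS, name, ca, account_uri=ACCOUNT_URI, method="http-01"))
    print(caa_permits(RRSETS, name, ca, account_uri=ACCOUNT_URI, method="dns-01"))
    print(caa_permits(RRSETS, name, ca, account_uri=ACCOUNT_URI, method="http-01", wildcard=True))
```

Run it and the first request (the thread's account, http-01) is permitted, while dns-01, a different account URI, any other CA, or a wildcard request all hit "CAA record for r-ricci.it prevents issuance", which is the wording in the finalize error. The model assumes every validation perspective sees the same RRset; a resolver that returns a different answer, as the replies above suggest, cannot be diagnosed from the records alone.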

I use the DNS servers of my registrar, so I don't know why they are out of sync. Maybe I just have to wait more and let the changes propagate. I only enabled CAA today.

2 Likes

Why are you forcing multiple renewals when you should have plenty to use already?

You already have 5 certs issued recently: crt.sh | snac.r-ricci.it

You're gonna get rate limited if you keep this going.

3 Likes

I know. I should have used the staging environment. I've been testing different configurations. Once it works, I'll remove the --force flag and set up a cron job.

2 Likes

Be sure to add a CAA record with your staging account too

3 Likes

Supplemental information:

The online tool Let's Debug is showing these results https://letsdebug.net/snac.r-ricci.it/2601798

1 Like